Report No. D-2008-031          December 10, 2007

Standard Accounting and Reporting System Compliance with Defense Business Transformation System Certification Criteria

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

ODIG-AUD (ATTN: Audit Suggestions)
Department of Defense Inspector General
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Acronyms

CCA          Clinger-Cohen Act
CIO          Chief Information Officer
CONOPS       Concept of Operations
DBSMC        Defense Business Systems Management Committee
DFAS         Defense Finance and Accounting Service
DITSCAP      DoD Information Technology Security Certification and Accreditation Process
ESG          Executive Steering Group
FFMIA        Federal Financial Management Improvement Act
IRB          Investment Review Board
IRWG         Investment Review Working Group
NDAA         National Defense Authorization Act
OSD          Office of the Secretary of Defense
STARS        Standard Accounting and Reporting System
USD(AT&L)    Under Secretary of Defense for Acquisition, Technology, and Logistics

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

December 10, 2007

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE

SUBJECT: Report on Standard Accounting and Reporting System Compliance with Defense Business Transformation System Certification Criteria (Report No. D-2008-031)

We are providing this report for information and use. No written response to this report was required and none was received. Therefore, we are publishing this report in final form.

We appreciate the courtesies extended to the staff. Questions should be directed to Mr. Edward A. Blair at (216) 706-0074, ext. 226 or Mr. Gregory M. Mennetti at (216) 706-0074, ext. 267. The team members are listed inside the back cover. See Appendix B for the report distribution.

Assistant Inspector General and Director
Defense Financial Auditing Service

Department of Defense Office of Inspector General
Report No. D-2008-031          December 10, 2007
(Project No. D2006-D000FC-0223.000)

Standard Accounting and Reporting System Compliance with Defense Business Transformation System Certification Criteria

Executive Summary

Who Should Read This Report and Why?
DoD personnel who prepare, review, certify, and approve Defense business system investments will find this report of interest. It addresses the Under Secretary of Defense for Acquisition, Technology, and Logistics and Defense Finance and Accounting Service policies and procedures used to certify and approve Defense business system modernizations in excess of $1 million. Specifically, this report discusses the procedures used to approve the FY 2006 modernization efforts for the Standard Accounting and Reporting System (STARS).

Background. The Deputy Under Secretary of Defense for Business Transformation requested that we review DoD Component compliance with the Defense Business Transformation System Certification Criteria. This report is one in a series and discusses compliance of the STARS with the Defense Business Transformation System Certification Criteria. Additional reports discuss other business systems’ compliance.

The “National Defense Authorization Act for Fiscal Year 2005” states that funds appropriated for Defense business system modernizations in excess of $1 million may not be obligated unless certified by the Designated Approving Authority and approved by the Defense Business Systems Management Committee. To comply with the National Defense Authorization Act, the Defense Business Systems Management Committee issued the Investment Review Board Concept of Operations. The Investment Review Board Concept of Operations provides guidance on certifying Defense business system investments in excess of $1 million, which requires review and approval by the Office of the Secretary of Defense.

STARS is a migratory system for the Department of the Navy’s general fund. STARS supports 58 individual appropriations and evolved from the consolidation of 28 Navy accounting systems.

Results.
The Under Secretary of Defense for Acquisition, Technology, and Logistics and the Defense Finance and Accounting Service did not implement sufficient controls for preparing, supporting, pre-certifying, and approving the FY 2006 STARS modernization package. The preparation controls had conflicting submission guidance, which made it difficult for the STARS Program Office to determine what was required for the modernization package. The Defense Finance Accounting Service did not perform a validation of compliance with certification criteria. In addition, STARS was not compliant with the Clinger-Cohen Act of 1996 and the Federal Financial Management Improvement Act. As a result, the STARS modernization package was pre-certified by the Defense Finance and Accounting Service and approved for funding by the Defense Business Systems Management Committee without being compliant with all applicable Federal laws, which increases the risk of inefficient and ineffective use of resources. To mitigate this risk, the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Defense Finance and Accounting Service should comply with Federal regulations and develop and implement consistent guidance for preparing, validating, pre-certifying, and approving modernization packages. See the Finding section of the report for a detailed discussion of the results.

Management Comments and Audit Response. The Under Secretary of Defense for Acquisition, Technology, and Logistics and the Director, Defense Finance and Accounting Service provided comments on DoD Office of Inspector General Report No. D-2008-006, “Report on Automated Time Attendance and Production System Compliance with Defense Business Transformation System Certification Criteria,” October 26, 2007. Those comments addressed the issues outlined in this report.

See DoD Office of Inspector General Report No.
D-2008-006 for a discussion of management comments and audit response.

Table of Contents

Executive Summary
Background
Objectives
Review of Internal Controls

Finding
     Investment Review Process Controls

Appendixes
     A. Scope and Methodology
     B. Report Distribution

Background

The Deputy Under Secretary of Defense (Business Transformation) requested that we review DoD Component compliance with the Defense Business Transformation System Certification Criteria. This report is one in a series and discusses the compliance of the Standard Accounting and Reporting System (STARS) with the Defense Business Transformation System Certification Criteria. Additional reports discuss other business systems’ compliance.

National Defense Authorization Act. On October 28, 2004, Congress passed Public Law 108-375, “Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005” (NDAA). Section 2222 of the NDAA states that funds appropriated for Defense business modernizations in excess of $1 million may not be obligated unless the Designated Approving Authority certifies the modernization to the Defense Business Systems Management Committee (DBSMC) and the DBSMC approves the certification.
The NDAA defines business system modernization as “the acquisition or development of a new defense business system or any significant modification or enhancement of an existing system.” In addition, the NDAA required the Secretary of Defense to delegate the review, approval, and oversight of the Defense business systems to the following four Office of the Secretary of Defense (OSD) approval authorities:

• Under Secretary of Defense for Acquisition, Technology, and Logistics,

• Under Secretary of Defense (Comptroller),

• Under Secretary of Defense for Personnel and Readiness, and

• Assistant Secretary of Defense for Networks and Information Integration and Chief Information Officer of the Department of Defense.

Each approving authority is required to establish an investment review process that periodically (at least annually) reviews all business system investments. In addition, the process should include an Investment Review Board (IRB) review and approval for each Defense business system.

Section 186 of the NDAA directed the Secretary of Defense to establish the DBSMC. The DBSMC is responsible for coordinating Defense business system modernization initiatives to maximize benefits and minimize costs, and to ensure that funds are obligated for Defense business systems in a manner consistent with section 2222 of the NDAA.

Investment Review Board Concept of Operations. On June 2, 2005, the DBSMC issued the “Investment Review Process Overview and Concept of Operations for Investment Review Boards” (CONOPS). The CONOPS integrates policies, specifies responsibilities, and establishes processes to comply with section 2222 of the NDAA.
It outlines the investment review process that all IRBs, Components, chief information officers (CIO), and program managers should follow if they have responsibility for business system investments.

The CONOPS introduces a structured investment review and certification process that includes determining review and certification requirements, Component review, and OSD-level review and certification. The CONOPS identifies three levels of certification review, known as “tiers.” Tier certification processes are established based on the program scope, cost, and complexity. The tier process also provides flexibility if the program has been designated as a special interest program. [1] The CONOPS defines the following tier certification processes:

• Tier 1 IRB: certification processes that apply to major automated information systems or programs (currently defined as those which cost at least $32 million);

• Tier 2 IRB: certification processes that apply to modernizations and investments in excess of $10 million to less than the major automated information system threshold, or those designated as special interest; and

• Tier 3 IRB: certification processes that apply to those modernizations and investments in excess of $1 million to less than $10 million.

The CONOPS also provides guidance on preparing, reviewing, and certifying Defense business system investments in excess of $1 million, which require an OSD-level review.
Defense business system investments less than $1 million do not require an OSD-level review and approval, unless designated as a special interest program. Instead, investments less than $1 million require a Component-level review and approval process. [2] The CONOPS requires Components to establish their own governance structures for investment review to support their transformation initiatives. The Component investment review processes should be consistent with the NDAA and the CONOPS.

Defense Finance and Accounting Service Investment Review Process. The Defense Finance and Accounting Service (DFAS) developed a Component-level review and approval process. For FY 2006 modernization investments in excess of $1 million, DFAS developed and used workbooks that were modeled after the standard set of IRB criteria outlined in the CONOPS. The workbooks contained system-specific questions, and system managers were required to certify if their automated systems were aligned with applicable policies, laws, and regulations. Specifically, system managers were required to indicate if their system was compliant with the DoD certification criteria, which includes the Clinger-Cohen Act of 1996 (CCA); the DoD Information Technology Security Certification and Accreditation Process (DITSCAP); the Federal Financial Management Improvement Act (FFMIA); and the Business Enterprise Architecture.

[1] Special interest is based on technological complexity, Congressional interest, or program criticality to the achievement of a capability or set of capabilities.
Special interest is also based on whether the program is a joint program or whether the resources committed to the program are substantial.
[2] The process is referred to as a “Tier 4” process.

Clinger-Cohen Act of 1996. The CCA establishes a top-down restructuring of Federal information technology acquisition programs. The goal of the CCA is to improve the acquisition and management of Federal information technology programs. The CCA requires the establishment of an efficient and effective information technology program for the Federal Government.

DoD Information Technology Security Certification and Accreditation Process. The DITSCAP establishes a standard Department-wide process, set of activities, general tasks, and management structure to certify and accredit information systems and maintain the information assurance and security posture of the Defense information infrastructure throughout the life cycle of each system. The accreditation process is a formal declaration by the Designated Approving Authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

Federal Financial Management Improvement Act. The FFMIA was created in 1996 to ensure consistent accounting by an agency from one fiscal year to the next. FFMIA also provides uniform accounting standards throughout the Federal Government. Federal financial data, including the full costs of Federal programs and activities, are required so that programs and activities can be considered based on their full costs and merits.

Standard Accounting and Reporting System.
STARS is a general fund accounting and reporting system that accounts for more than $750 billion in appropriated funds for the Navy, Marine Corps, Air Force, and Defense Agencies. The receipt and use of these funds are recorded at the detail transaction level. These detail transactions populate United States Standard General Ledger account balances and are reflected on trial balance reports that are used to prepare major command and departmental audited financial statements, in addition to other fiduciary reports. STARS supports 58 individual appropriations and evolved from the consolidation of 28 Navy accounting systems since its inception.

DFAS submitted two Tier 3 certification packages for STARS in FY 2006. The first package received DBSMC approval for $1.8 million in capital modernization cost dollars on August 31, 2005. The DBSMC approved the first package prior to the CONOPS implementation date of October 1, 2005, and it was not subject to the IRB approval process. On March 23, 2006, the second package received IRB approval for $950,000 in capital modernization dollars. Even though the second package was approved for less than $1 million, DFAS submitted it as a Tier 3 package because the total amount submitted for FY 2006 was $2.75 million.

Objectives

Our overall audit objective was to determine whether STARS was properly certified and accredited in accordance with the Defense Business Transformation System Certification Criteria. Specifically, we determined if STARS complied with the investment review process.
See Appendix A for a discussion of the scope and methodology.

Review of Internal Controls

We identified material internal control weaknesses for the Under Secretary of Defense for Acquisition, Technology, and Logistics and Defense Finance and Accounting Service as defined by DoD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,” January 4, 2006. The Under Secretary of Defense for Acquisition, Technology, and Logistics and Defense Finance and Accounting Service did not have adequate internal controls for preparing, validating, pre-certifying, and approving the STARS modernization package. Although we identified material weaknesses, we are making no recommendations because DoD Office of Inspector General Report No. D-2008-006, “Report on Automated Time Attendance and Production System Compliance with Defense Business Transformation System Certification Criteria,” October 26, 2007, contains recommendations to the Under Secretary of Defense for Acquisition, Technology, and Logistics and Defense Finance and Accounting Service that should correct the material weaknesses identified in this report. A copy of this report will be sent to the senior official in charge of internal controls for the Under Secretary of Defense for Acquisition, Technology, and Logistics and Defense Finance and Accounting Service.

Investment Review Process Controls

Investment review process controls over the system modernization package were not adequate.
The Under Secretary of Defense for Acquisition, Technology, and Logistics (USD[AT&L]) and DFAS did not implement sufficient controls for preparing, validating, pre-certifying, and approving the STARS modernization package. The DFAS preparation and validation controls were ineffective because the investment review guidance issued by DFAS and DoD was insufficient and inconsistent. The USD(AT&L) approval and DFAS pre-certification controls were ineffective because USD(AT&L) and DFAS did not follow DoD certification guidance. Additionally, DoD guidance did not specify the consequences that noncompliance with the IRB criteria would have on the system modernization package approval process. As a result, the STARS modernization package was pre-certified and approved for funding without meeting all of the DoD certification criteria.

DFAS Investment Review Process

On September 2, 2005, DFAS established its own investment review process and governance structure to support Component transformation initiatives and to comply with CONOPS. DFAS designated the CIO as the headquarters-level authority accountable for business system investments. The CIO acts as the Pre-Certification Authority for all business system modernizations or enhancements up to $10 million. For modernizations in excess of $1 million, the CIO pre-certifies and submits the investment proposals to the IRB.

DFAS Executive Steering Group. The Executive Steering Group (ESG) is the agency’s primary, executive-level, decision-making body that reports to the Director of DFAS. Among many other responsibilities, the ESG oversees the DFAS portfolio management initiatives. In doing so, the ESG serves as the Component-level IRB for DFAS.
It reviews and approves investment proposals based on decision criteria such as the CONOPS and internal DFAS policies and procedures.

DFAS Investment Review Working Group. The ESG established the DFAS Information Technology Investment Review Working Group (IRWG) to conduct due diligence reviews and provide input on information technology portfolio and investment issues to the ESG. It is chaired by the Deputy CIO and is composed of a representative from each DFAS directorate or business line. The IRWG coordinates and resolves investment issues that arise in the portfolio management processes. It also reviews and recommends approved investment proposals to the ESG.

DFAS IRB Process for Investments in excess of $1 Million. The IRWG assists in overseeing the DFAS Investment Review Process. Prior to obligating funds for modernizations and enhancements estimated to cost more than $1 million, DFAS required that system managers complete an IRB workbook providing system information. System managers were required to answer system-related questions and provide supplemental documents such as architecture diagrams. The IRWG reviewed the workbooks and supplemental materials, and if the investment proposals were satisfactory, the IRWG recommended certification to the CIO. The CIO would then pre-certify and recommend approval and certification of the investment proposal to the IRB and the DBSMC.

System Modernization Package Preparation Controls

DFAS did not have sufficient controls over their process for preparing the STARS system modernization package. The CONOPS and the DoD Business Systems Investment Review Proposal Submission Guideline (“DoD Guideline”), July 15, 2005, required different documents to be submitted for system modernization packages.
The CONOPS and DoD Guidance agreed on only one of seven required documents, as shown in Table 1.

Table 1. Required Documentation for a Tier 3 System Modernization Package

                                                              Guidance
Document Title                                                CONOPS    DoD Guideline
POC Information for Component Pre-Certification Authority     R         A
Component Pre-Certification Letter                            R         R
Certification Template                                        R         A
Defense Business System Certification Dashboard               NR        R
Component Economic Viability Analysis                         R         A
Independent Cost Review Authority Validation Letter           NR        A
Defense Business Systems Investment Summary                   NR        R

R = Required by guidance
NR = Not required by guidance
A = To be made available upon request

According to the CONOPS, all IRBs are required to provide consistent guidance to the Component Pre-Certification Authorities. The DFAS process for preparing system modernization packages did not have sufficient controls in place to ensure adequate submission documentation because USD(AT&L) did not provide consistent guidance to its Components. As a result, the conflicting submission guidance made it difficult for the STARS Program Office to clearly determine what was required for the modernization package. For example, the Defense Business System Certification Dashboard is not required by CONOPS, but it is required by the DoD Guideline.
To alleviate confusion, USD(AT&L) should revise and issue consistent guidance.

System Modernization Package Validation Controls

DFAS controls over validating the system modernization package did not ensure compliance with laws and regulations. Specifically, DFAS did not have documentation to support a validation for CCA, DITSCAP, and Business Enterprise Architecture compliance, although DFAS stated that STARS was compliant. STARS system management did not have documentation to support compliance with CCA for FY 2006, and the IRWG did not perform a validation of CCA compliance.

To improve the process for FY 2007, DFAS began requiring program managers to complete the CCA compliance table found in DoD Instruction 5000.2, “Operation of the Defense Acquisition System,” May 12, 2003, which lists 11 requirements for CCA compliance. In addition, Component CIOs should use the acquisition documents identified in the “CCA Compliance Table” to assess CCA compliance.

We reviewed the acquisition documents referenced in the CCA compliance table for FY 2007 to determine whether the documents referenced in the table supported CCA compliance. DFAS did not provide supporting documentation for two of the six sampled compliance table documents. As a result, the FY 2007 CCA compliance documentation did not provide auditable evidence that STARS was CCA-compliant. DFAS provided support to show that STARS was compliant with DITSCAP; however, no evidence was available to show that the IRWG performed a validation of the compliance.

The CONOPS requires a Component-level review of compliance with IRB criteria.
Controls over the validation process for compliance with laws and regulations were not adequate because DFAS lacked guidance for validating and documenting compliance with applicable criteria. As a result, DFAS pre-certified the STARS modernization package for funding without the package meeting all certification criteria. Without performing sufficient validation, there is an increased risk that systems could receive funding without meeting applicable certification criteria. To mitigate this risk, DFAS should develop and implement guidance that requires a validation and documentation to show compliance with IRB criteria. DFAS should also specify the consequences that noncompliance with the DFAS Investment Review Process would have on the system modernization package pre-certification and approval process.

Pre-Certification and Approval Controls

Controls over the process for pre-certifying and approving the STARS modernization package were not sufficient. The CONOPS stated that the Pre-Certification Authority should integrate the DoD certification criteria with Component certification criteria for modernization packages costing in excess of $1 million. In addition, the DoD certification criteria require compliance with applicable laws and regulations. The STARS program was not compliant with CCA or FFMIA. In spite of this, it was pre-certified and approved for funding.

• Clinger-Cohen Act of 1996. The STARS Program Management Office stated that STARS was compliant with the CCA in the certification template workbook, but it could not provide supporting documentation for FY 2006 CCA compliance. The DoD certification criteria required compliance with the CCA.
  A review of the FY 2007 CCA documentation did not provide auditable evidence of compliance; therefore, STARS was not CCA-compliant for FY 2006.

• Federal Financial Management Improvement Act. The STARS Program Management Office stated that STARS was not compliant with the FFMIA in the certification template workbook. According to the CONOPS, if a program or initiative is not compliant with FFMIA, the Component must provide justification for noncompliance. The certification template workbook explanation of noncompliance referenced the DFAS memorandum “Federal Manager’s Financial Integrity Act, Section 4, FY 2003 Report,” May 23, 2003. The memorandum stated that agency heads who cannot provide a positive statement of assurance in accordance with FFMIA are required to submit a remediation plan. DFAS did not prepare a remediation plan for FFMIA noncompliance and did not comply with this memorandum.

The approval and pre-certification controls were not adequate because USD(AT&L) and DFAS did not follow DoD certification guidance. As a result, the STARS modernization package was pre-certified and approved for funding without being compliant with all applicable Federal laws, which increases the risk of inefficient and ineffective use of resources.
To mitigate this risk, USD(AT&L) and DFAS should comply with Federal laws and regulations and revise or develop guidance that specifies the consequences of noncompliance with IRB criteria on the system modernization package pre-certification and approval process.

Recommendations, Management Comments, and Audit Response

There are no recommendations in this report. The recommendations in DoD Office of Inspector General Report No. D-2008-006, “Automated Time Attendance and Production System Compliance with Defense Business Transformation System Certification Criteria,” October 26, 2007, addressed the issues outlined in this report.

See DoD Office of Inspector General Report No. D-2008-006 for the discussion of management comments and audit response.

Appendix A. Scope and Methodology

We conducted this performance audit from July 2006 through May 2007 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We performed this audit at the DFAS site in Cleveland, Ohio. We reviewed the DFAS Investment Review Process used to approve the obligation of funding for FY 2006 STARS modernization efforts. We interviewed members of the DFAS Investment Review Working Group, as well as the STARS system manager. We also obtained and reviewed DFAS Investment Review Process procedures and documentation.
Specifically, we reviewed the Pre-Certification Authority\n   designation letters, the FY 2006 STARS modernization workbook, and\n   supplemental documentation.\n\n   We performed this audit to determine whether STARS was properly certified and\n   accredited in accordance with the Defense Business Transformation Systems\n   Certification Criteria. The audit was performed from July 2006 through\n   February 2007 in accordance with generally accepted government auditing\n   standards. Specifically, we:\n\n          \xe2\x80\xa2\t interviewed personnel and discussed DFAS Investment Review\n             Process policies and procedures at the DFAS Cleveland Program\n             Management Office;\n\n          \xe2\x80\xa2\t reviewed and analyzed the modernization package documentation\n             submitted by DFAS Cleveland to DFAS Headquarters and the\n             Executive Steering Group; and\n\n          \xe2\x80\xa2\t reviewed and analyzed compliance and the validation of compliance\n             with the CCA, DITSCAP, and FFMIA.\n\n   We also reviewed and compared the systems procedures and documentation to the\n   following laws and DFAS guidance related to the investment review process.\n   Specifically, we reviewed:\n\n          \xe2\x80\xa2\t Public Law 108-375 \xe2\x80\x9cRonald W. 
Reagan National Defense\n             Authorization Act for Fiscal Year 2005,\xe2\x80\x9d October 28, 2004;\n\n          \xe2\x80\xa2\t Public Law 104-208, \xe2\x80\x9cFederal Financial Management Improvement\n             Act,\xe2\x80\x9d September 30, 1996;\n\n          \xe2\x80\xa2\t Public Law 104-106, \xe2\x80\x9cClinger Cohen Act,\xe2\x80\x9d February 10, 1996;\n\n          \xe2\x80\xa2\t DoD Instruction 5000.2, \xe2\x80\x9cOperation of the Defense Acquisition\n             System,\xe2\x80\x9d May 12, 2003;\n\n\n                                       9\n\n\x0c       \xe2\x80\xa2\t DoD Instruction 5200.4, \xe2\x80\x9cDoD Information Technology Security\n          Certification and Accreditation Process,\xe2\x80\x9d December 30, 1997;\n\n       \xe2\x80\xa2\t DoD Manual 8510.1-M, \xe2\x80\x9cDoD Information Technology Security\n          Certification and Accreditation Process Application Manual,\xe2\x80\x9d\n          July 31, 2000;\n\n       \xe2\x80\xa2\t Department of Defense, \xe2\x80\x9cInvestment Review Process Overview and\n          Concepts of Operations For Investment Review Boards,\xe2\x80\x9d\n          May 17, 2005;\n\n       \xe2\x80\xa2\t Department of Defense, \xe2\x80\x9cBusiness Systems Investment Review\n          Proposal Submission Guideline,\xe2\x80\x9d July 15, 2005; and\n\n       \xe2\x80\xa2\t \xe2\x80\x9cDoD Business Systems Investment Review Process: Investment\n          Certification and Annual Review Process User Guidance,\xe2\x80\x9d\n          April 10, 2006.\n\nWe limited the scope to not include a review of the Business Enterprise\nArchitecture compliance. This limitation did not affect the results of this audit.\nWe did not review the management control program as it related to the investment\nreview process because the management control program was not an announced\naudit objective.\n\nUse of Computer-Processed Data. 
We did not use computer-processed data to\nperform this audit.\n\nGovernment Accountability Office High-Risk Area. The Government\nAccountability Office has identified several high-risk areas in DoD; including the\nDoD Approach to Business Transformation. This report is relevant to the DoD\nApproach to Business Transformation, specifically, DoD Business Systems\nModernization.\n\nPrior Coverage. No prior coverage has been conducted on the Standard\nAccounting and Reporting System investment review process during the\nlast 5 years.\n\n\n\n\n                                    10 \n\n\x0cAppendix B. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\n   Director, Acquisition Resources and Analysis\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nDirector, Program Analysis and Evaluation\nDepartment of Defense, Chief Information Officer\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nCombatant Command\n  Inspector General, U.S. 
Joint Forces Command\n\nOther Defense Organizations\nDirector, Defense Business Transformation Agency\nDirector, Defense Finance and Accounting Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Oversight and Government Reform\nHouse Subcommittee on Government Management, Organization, and Procurement,\n  Committee on Oversight and Government Reform\nHouse Subcommittee on National Security and Foreign Affairs,\n  Committee on Oversight and Government Reform\n\n\n                                          11 \n\n\x0c\x0cTeam Members\nThe Department of Defense Office of the Deputy Inspector General for Auditing,\nDefense Financial Auditing Service prepared this report. Personnel of the\nDepartment of Defense Office of Inspector General who contributed to the report\nare listed below.\n\nPaul J. Granetto\nPatricia A Marsh\nEdward A. Blair\nGregory M. Mennetti\nDwayne A. Coulson\nMichael B. Dell, Jr.\nDevon R. Houston\nKendall A. Miller\nDea M. Algeo\nCelita M. Pomales\nAnn L. Thompson\n\x0c\x0c'